Let’s face it, passwords are a pain. As we’ve been pushed towards using longer and ever more complex passwords, and told to update them with increasing frequency, password management has become something of a headache. We’ve gone from simple, easy to remember passwords to 12- or 16-character passwords that must contain a mixture of upper and lowercase letters, numbers and symbols.

The conventional wisdom now insists on long, complex passwords that should be changed frequently, but this is often a logistical nightmare for companies and a source of annoyance for employees.

Well, it turns out that this kind of password policy might not be the smartest or most secure after all.

Times have changed and so has the official advice from the National Institutes of Standards and Technology (NIST), which is now suggesting 6 to 8 characters without artificial complexity is fine and there’s no need to change it unless you know it has been compromised.

Most organizations have been understandably resistant to this new advice. So, who is right? What is the best password policy? Let’s dig a little deeper into it.


Short and simple or long and complex?

They may be easiest to remember, but there’s a very good reason that it’s a bad idea to have a short and simple password: it’s much easier to guess or crack. It used to be that cybercriminals would take an educated guess at your password or use an automated tool that tries lots of different possible passwords to gain access to your account. But nowadays, most passwords are stolen using common, everyday phishing scams or via compromised password databases.

While it may be less common, guessing and cracking are both techniques that are still employed successfully. That’s because many people still use easy-to-guess passwords, like names of loved ones, favorite sports teams, musicians, and fictional characters they like.

There are also a few incredibly common passwords that many people use. The National Cybersecurity Centre in the U.K. did a survey last year and found an alarming number of people using the following top five:

  • 123456 (23.2 million)
  • 123456789 (7.7 million)
  • qwerty (3.8 million)
  • password (3.6 million)
  • 1111111 (3.1 million)

You may not need to use an incredibly long and complex password, but you should certainly avoid anything as simple as the list above and anything that’s closely associated with you or potentially guessable.

Taking all this into account, it may be easier to just use a long password.

Joining a few random words together can generate a memorable password that’s still tough to guess or crack. From a policy point of view, requiring the use of different case letters, numbers, and symbols may just be the easiest way to prevent someone from using something like “123456789” as their password.


To change or not to change

The need to change passwords across an organization can create extra work for IT departments and is always viewed as a minor annoyance by employees. Is it truly necessary to change your passwords regularly? The truth is, it’s very difficult to say.

The new NIST guidelines suggest that it’s only necessary to change your password when you know it has been compromised, but there’s a major problem with that suggestion. When passwords are compromised cybercriminals don’t tend to let you know.

It can take months to find out if your password is comprised… if you ever do. Take a look at haveibeenpwned.com and you may well find that your details have already been comprised in a data breach. It’s possible that one of your account logins with password has been published somewhere out there for anyone to see, or that it’s circulating in cybercriminal circles in a list for sale.

Despite the advice to the contrary, changing passwords once in a while still seems like a sound protective measure.


The right password policy

Every organization has to find a password policy that works for them and much depends on what you’re trying to protect. Restricting access to the sensitive data that represents the real crown jewels of your business is always a smart move and that’s where you want to focus your protective efforts.

While you want to get your password policy right, there is lower hanging fruit with regard to your security. Most data breaches begin with phishing attacks and social engineering. Even unpatched software comes ahead of password issues. It makes more sense to address those things first and expend more effort on security awareness training before you sink too much time into a password policy.

Having said that, here are some practical recommendations:

  1. Try to use multifactor authentication (MFA) to safeguard the truly sensitive data.
  2. Where you don’t employ MFA, use long, unique, randomly generated passwords with password managers.
  3. If you can’t use password managers, create long, simple passwords or an easy to recall phrase.
  4. Change every password at least once a year, but change business passwords more frequently, perhaps every quarter.
  5. Never use common passwords or easy to guess names.

A word of caution regarding use of free, browser-based password managers: while being convenient repositories for looking up forgotten passwords, they present low-hanging fruit to hackers who can easily grab and dash the full lot. A common issue is that people tend to fall into the bad habit of repeatedly using the same password for everything.

Ultimately, educating your employees with solid security awareness training that encompasses good password policy alongside phishing and social engineering is the best way to make your organization more secure.